Sheriff CSM™
ESET Antivirus
When you configure ESET to send log data to Sheriff CSM, you can use the ESET plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:
Plugin Information
Device | Details |
Vendor | ESET |
Device Type | Antivirus |
Connection Type | Syslog |
Data Source Name | eset |
Data Source ID | 1706 |
Integrating ESET Antivirus
Before configuring the log collection, you must have the IP address of the Sheriff CSM Sensor (Deputy).
To configure ESET to send log data to Sheriff CSM
1. After logging into the ESET Remote Administrator (ERA) web console, select the Admin icon in the left navigation bar, then Server Settings > ADVANCED SETTINGS.
2. In the Syslog Server section, configure the following:
   - Use Syslog server — Toggle the slider to display a check mark.
   - Host — IP address of the Sheriff CSM Sensor.
   - Port — 514
   - Format (in ESET version 6.5 and later) — BSD
3. In the Logging section, toggle the Export logs to Syslog slider to display a check mark.
4. Click SAVE.
ESET Remote Administrator can export certain logs/events and send them to the Sheriff CSM Sensor. Events are generated on a managed client computer running an ESET security product (for example, ESET Endpoint Security) and consist of events like the following:
- ThreatEvent
- Firewall Aggregated Event
- HIPS Aggregated Event
Any Security Information and Event Management (SIEM) solution capable of importing events from a Syslog server can process these events. They are then written to the designated Sheriff CSM Sensor.
To view JSON-formatted event messages in ESET Remote Administrator
After you enable the Syslog server, go to Admin > Server Settings > Syslog Server > Logging and enable Export logs to Syslog.
Event messages are formatted as JavaScript Object Notation (JSON) objects with some mandatory and optional keys.
The table illustrates the format and meaning of all exported events. Each exported event contains the following:
Attribute | Format | Optional? | Meaning |
event_type | string | | Exported event type |
ipv4 | string | ✓ | IPv4 address of the computer generating the event. |
ipv6 | string | ✓ | IPv6 address of the computer generating the event. |
source_uuid | string | | UUID of the computer generating the event. |
occurred | string | | UTC time of occurrence of the event. Format is %d-%b-%Y %H:%M:%S |
severity | string | | Severity of the event. Possible values (least severe to most severe): Information, Notice, Warning, Error, Critical, Fatal |
Firewall Aggregated Event
Firewall aggregated events carry the following attributes in addition to the common ones above:
Attribute | Format | Optional? | Meaning |
event_type | string | | Event name |
source_address | string | ✓ | Address of the event source |
source_address_type | string | ✓ | Type of address of the event source |
source_port | integer | ✓ | Port of the event source |
target_address | string | ✓ | Address of the event destination |
target_address_type | string | ✓ | Type of address of the event destination |
target_port | integer | ✓ | Port of the event destination |
protocol | string | ✓ | Protocol |
account | string | ✓ | Name of the user account associated with the event |
process_name | string | ✓ | Name of the process associated with the event |
rule_name | string | ✓ | Rule name |
rule_id | string | ✓ | Rule ID |
inbound | boolean | ✓ | Whether or not the connection was inbound |
threat_name | string | ✓ | Name of the threat |
aggregate_count | integer | ✓ | Number of identical messages generated by the endpoint within two consecutive replications between ERA Server and managing ERA Agent |
HIPS Aggregated Events
The plugin filters events from the Host-based Intrusion Prevention System (HIPS) based on severity before sending them as Syslog messages. The plugin only sends events with severity levels Error, Critical, and Fatal to Syslog.
HIPS-specific attributes:
Attribute | Format | Optional? | Meaning |
Application | string | | Application name |
operation | string | ✓ | Operation |
target | string | ✓ | Target |
action | string | ✓ | Action |
rule_name | string | ✓ | Rule name |
rule_id | string | ✓ | Rule ID |
aggregate_count | integer | ✓ | Number of identical messages generated by the endpoint within two consecutive replications between ERA Server and managing ERA Agent |
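As an added example (not code from this page, ESET, or the Sheriff CSM plugin), the following Python parses BSD-format syslog lines carrying the JSON events described in the tables above, rejects lines missing a mandatory key, converts the documented UTC "occurred" timestamp, and applies the HIPS severity filter. The event_type string used to recognize HIPS events and the sample lines are assumptions; check the string against a real ERA export.

```python
import json
import re
from datetime import datetime, timezone

# Severity scale documented for exported events, least to most severe.
SEVERITY_ORDER = ["Information", "Notice", "Warning", "Error", "Critical", "Fatal"]
# Keys the event-format table marks as mandatory (no "Optional?" check mark).
MANDATORY_KEYS = ("event_type", "source_uuid", "occurred", "severity")
# Assumption: event_type string for HIPS events; verify against a real ERA export.
HIPS_EVENT_TYPE = "HIPS Aggregated Event"
# Severities the page says are forwarded for HIPS aggregated events.
HIPS_FORWARDED = {"Error", "Critical", "Fatal"}
# BSD-format syslog line: <PRI>Mmm dd hh:mm:ss host tag: {json}
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:\s]+): (\{.*\})$")

def parse_eset_syslog(line):
    """Return header fields plus the decoded JSON event, or None when the line is
    not a well-formed ESET event (bad header, bad JSON, missing mandatory key)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    try:
        event = json.loads(m.group(5))
    except json.JSONDecodeError:
        return None
    if any(k not in event for k in MANDATORY_KEYS) or event["severity"] not in SEVERITY_ORDER:
        return None
    # "occurred" is documented as UTC in %d-%b-%Y %H:%M:%S format.
    occurred = datetime.strptime(event["occurred"], "%d-%b-%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"pri": int(m.group(1)), "host": m.group(3), "tag": m.group(4),
            "occurred": occurred, "event": event}

def should_forward(event):
    """HIPS events below Error are dropped; every other event type is kept."""
    if event["event_type"] == HIPS_EVENT_TYPE:
        return event["severity"] in HIPS_FORWARDED
    return True

def process_lines(lines):
    """Parse each syslog line and keep only the events that pass the filter."""
    parsed = (parse_eset_syslog(line) for line in lines)
    return [p for p in parsed if p is not None and should_forward(p["event"])]

SAMPLE_LINES = [  # constructed, not real ERA output; hosts and UUIDs are placeholders
    '<14>Mar  3 10:15:02 era-srv ERAServer: {"event_type":"ThreatEvent","ipv4":"10.0.0.12","source_uuid":"CONSTRUCTED-1","occurred":"03-Mar-2020 10:15:01","severity":"Warning"}',
    '<11>Mar  3 10:15:03 era-srv ERAServer: {"event_type":"HIPS Aggregated Event","source_uuid":"CONSTRUCTED-2","occurred":"03-Mar-2020 10:15:02","severity":"Warning"}',
    '<11>Mar  3 10:15:04 era-srv ERAServer: {"event_type":"HIPS Aggregated Event","source_uuid":"CONSTRUCTED-3","occurred":"03-Mar-2020 10:15:03","severity":"Critical"}',
    '<14>Mar  3 10:15:05 era-srv ERAServer: {"event_type":"ThreatEvent","occurred":"03-Mar-2020 10:15:04","severity":"Error"}',
]
```

Running process_lines(SAMPLE_LINES) keeps the first and third lines only: the HIPS Warning is filtered out and the last line lacks the mandatory source_uuid.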
Plugin Enablement
For plugin enablement information, see Enable Plugins.
Troubleshooting
For troubleshooting, refer to the vendor documentation:
http://help.eset.com/era_admin/63/en-US/index.html?admin_server_settings_export_to_syslog.htm
https://help.eset.com/era_admin/65/en-US/admin_server_settings_syslog.html